2026 Incident Cost Benchmarks: Cross-Source Aggregate
No single published source captures the complete picture of incident cost in 2026. The honest answer to "what does an incident cost?" depends on what kind of incident, in what sector, in what region, with what regulatory implications, and on whose definition of "cost." This page consolidates the major published 2024-2026 benchmarks across IBM, Verizon, Sophos, Coveware, FBI IC3, Resilience, and Mandiant, with explicit notes on what each measures and where they diverge. Use each source for its question; triangulate where you can; document your assumptions when you cannot.
The Master Benchmark Table
A single-table, cross-source view: each row is a published benchmark. The "Measure" column documents what is being counted; the "Source" column documents who published it and when.
| Benchmark | Number | Measure | Source |
|---|---|---|---|
| Global average breach cost | $4.44M | All-cause breach across surveyed orgs | IBM CODB 2025 |
| US average breach cost | $10.22M | US-headquartered surveyed orgs | IBM CODB 2025 |
| Healthcare breach cost (highest sector) | $7.42M | Healthcare cohort average | IBM CODB 2025 |
| Public sector breach cost (lowest sector) | $2.70M | Public sector cohort average | IBM CODB 2025 |
| Ransomware mean recovery cost (cross-sector) | $2.73M | Recovery cost excluding ransom | Sophos State of Ransomware 2024 |
| Ransomware mean recovery cost (healthcare) | $2.57M | Healthcare-specific recovery | Sophos State of Ransomware in Healthcare 2024 |
| Cross-sector median ransom payment | ~$400K | Coveware H2 2024 quarterly average | Coveware quarterly |
| Healthcare median ransom payment | ~$1.5M | Sophos healthcare cohort | Sophos 2024 |
| Ransomware payment rate | ~30% | Continuing decline from ~76% in 2019 | Coveware quarterly |
| Median ransomware downtime | 16-24 days | From encryption event to operational restoration | Coveware quarterly |
| Insider threat (credential theft) | $779K | Cost per incident | Ponemon Cost of Insider Risks 2025 |
| P1 / Sev 1 incident cost | $794K | Average cost per P1 event | PagerDuty State of Digital Operations 2024 |
| Average BEC loss | ~$137K | Average loss per BEC complaint reported | FBI IC3 Internet Crime Report 2024 |
| Total IC3-reported cyber losses (US) | $16B+ | Calendar year 2024 reported | FBI IC3 2024 |
| Mean breach detection lifecycle | 258 days | Detection plus containment, cross-industry | IBM CODB 2025 |
| Cost reduction with AI/automation | -$2.22M avg | Versus orgs without extensive AI/automation | IBM CODB 2025 |
What Each Source Actually Measures
Apparent contradictions across published sources usually reflect different methodologies. The honest reading requires understanding what each source counts and what it excludes.
| Source | Methodology | Best For |
|---|---|---|
| IBM Cost of a Data Breach | Annual survey of approximately 600 organisations that experienced a breach; activity-based costing across four phases (detection/escalation, notification, post-breach response, lost business) | Per-breach average cost, sector and country breakouts, control-impact analysis |
| Verizon DBIR | Aggregates approximately 30,000 incidents annually from 100+ contributing organisations including law enforcement, insurance carriers, and IR firms | Breach-cause distribution, threat-actor analysis, attack-pattern frequency |
| Sophos State of Ransomware | Annual survey of approximately 5,000 IT and cybersecurity leaders globally | Ransomware attack rate, recovery cost, payment rate by sector and region |
| Coveware quarterly | Real cases Coveware handled as an IR firm; not a survey but actual negotiation data | Median ransom paid, downtime, payment rate, threat-actor distribution |
| Resilience Cyber Risk Report | Underwriter view; claims data and policy-portfolio analysis | Insurance-claim severity by control posture; underwriting-relevant view |
| FBI IC3 Internet Crime Report | Voluntary complaints filed at ic3.gov; necessarily underrepresents actual losses | Reported cyber-crime totals, BEC losses, scam categorisation |
| Mandiant M-Trends | Mandiant's IR engagement data; nation-state and APT focus | Dwell time, attack-vector distribution, threat-actor TTPs |
| Ponemon Cost of Insider Risks | Annual survey of approximately 1,000 organisations on insider-risk experience | Insider incident cost by category (negligent, malicious, credential theft) |
| PagerDuty State of Digital Operations | Survey of operations leaders; incident-management focus | Per-P1-incident cost; on-call practice trends |
The 2025-2026 Year-Over-Year Story
The single most reported 2025 narrative is the 9% YoY decrease in IBM's CODB headline number, the first reported decline in the report's 19-year history. The decline is attributed primarily to faster identification and containment driven by AI and automation. Whether 2026 sustains the trend or reverts to the long-run upward trajectory will be the central question of the next IBM CODB release in mid-2026.
Several other 2024-2025 trends are visible across multiple sources. Ransomware payment rates continue to decline (Coveware reports under 30% in recent quarters, down from 76% in 2019), driven by improved backups, OFAC compliance, and customer/regulator preference. Median ransom amounts have plateaued or declined slightly, though mean amounts continue to rise as outlier whales become more expensive. Recovery cost continues to rise (Sophos data shows 2024 cost up roughly 50% YoY), suggesting that operators are inflicting more operational damage even as they extract less in payment.
Identity-platform and supply-chain compromises (Okta 2022/2023, CircleCI 2023, Snowflake-related 2024, MOVEit 2023) continue to produce ecosystem-scale damage that no single benchmark captures cleanly. The 2026 cost picture for these incident types is probably best estimated as 5-15x the directly-reported provider-side cost, given the customer-of-customer cleanup work that ripples through the ecosystem.
How to Use These Benchmarks
Three rules of thumb for using published incident-cost benchmarks responsibly.
- Anchor to your sector and size, not the global mean. The IBM CODB headline of $4.44M is an aggregate across an extremely heterogeneous population. For a 1,000-employee mid-market SaaS company, the more relevant anchor is the technology-sector average ($5.47M) adjusted by size cohort. For a small county government, anchor to the public-sector average ($2.70M) adjusted by size and known municipal-ransomware comparables.
- Use multiple sources for the same question. If you are estimating ransomware exposure, look at IBM CODB ransomware-specific data, Sophos ransomware-specific recovery cost, Coveware median ransom, and Mandiant M-Trends dwell-time data. Triangulate; do not pick one number and treat it as truth.
- Document your assumptions. Loss-given-incident estimates that go into capital-planning, cyber insurance buying, or board-level risk reporting should explicitly cite which benchmarks were used, why they were chosen, and what adjustments were applied. Defensible methodology matters more than precise numbers.
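The three rules above, applied together as an added Python example (not code from this page or from any of the cited publishers): it anchors to a sector benchmark, combines sources that each answer part of the ransomware question, refuses to use a figure with no documented measure or source, and emits an assumptions ledger alongside the range. The benchmark values are the ones tabulated on this page; the 1,000-employee SaaS profile, the 0.6 size multiplier, the function names and the `Benchmark`/`Estimate` types are hypothetical.

```python
# Added example: a loss-given-incident estimator that triangulates several
# published benchmarks and records every assumption it relies on.
# Benchmark figures below are the ones tabulated on this page; the size
# multiplier, organisation profile and all helper names are hypothetical.
from dataclasses import dataclass, field
from statistics import median


@dataclass(frozen=True)
class Benchmark:
    name: str
    value_musd: float   # millions of USD
    measure: str        # what the number actually counts
    source: str         # who published it and when


@dataclass
class Estimate:
    low_musd: float
    mid_musd: float
    high_musd: float
    assumptions: list[str] = field(default_factory=list)


def _require_documented(b: Benchmark) -> None:
    """Rule 3: refuse to use a number whose measure or source is not recorded."""
    if not b.measure.strip() or not b.source.strip():
        raise ValueError(f"benchmark {b.name!r} lacks a documented measure/source")


def expected_ransomware_loss(recovery: Benchmark, ransom: Benchmark,
                             payment_rate: float) -> tuple[float, str]:
    """Rule 2: combine sources that answer different parts of one question.
    Recovery cost (Sophos) excludes the ransom, so add the ransom (Coveware)
    weighted by the probability that any ransom is paid at all."""
    for b in (recovery, ransom):
        _require_documented(b)
    if not 0.0 <= payment_rate <= 1.0:
        raise ValueError("payment_rate must be a fraction between 0 and 1")
    loss = recovery.value_musd + ransom.value_musd * payment_rate
    note = (f"ransomware: {recovery.source} recovery {recovery.value_musd}M "
            f"+ {ransom.source} ransom {ransom.value_musd}M x payment rate {payment_rate}")
    return round(loss, 3), note


def triangulate(anchor: Benchmark, comparables: list[Benchmark],
                size_multiplier: float, size_rationale: str) -> Estimate:
    """Rules 1 and 2: scale the sector anchor and its comparables by a size
    adjustment, then report the spread instead of a single point estimate."""
    if size_multiplier <= 0:
        raise ValueError("size_multiplier must be positive")
    ledger = [f"size adjustment x{size_multiplier}: {size_rationale}"]
    scaled = []
    for b in [anchor] + comparables:
        _require_documented(b)
        scaled.append(round(b.value_musd * size_multiplier, 3))
        ledger.append(f"{b.name}={b.value_musd}M ({b.measure}; {b.source})")
    return Estimate(min(scaled), round(median(scaled), 3), max(scaled), ledger)


def example_midmarket_saas() -> Estimate:
    """Constructed profile: a hypothetical 1,000-employee mid-market SaaS company."""
    tech = Benchmark("tech sector breach", 5.47, "technology cohort average", "IBM CODB 2025")
    glob = Benchmark("global breach", 4.44, "all-cause breach average", "IBM CODB 2025")
    recov = Benchmark("ransomware recovery", 2.73, "recovery cost excluding ransom", "Sophos 2024")
    ransom = Benchmark("median ransom", 0.4, "median payment, H2 2024", "Coveware quarterly")
    rw_loss, rw_note = expected_ransomware_loss(recov, ransom, payment_rate=0.30)
    rw = Benchmark("expected ransomware loss", rw_loss,
                   "recovery + ransom x payment rate", "derived: Sophos 2024 + Coveware")
    est = triangulate(
        tech, [glob, rw], size_multiplier=0.6,
        size_rationale="ASSUMPTION (hypothetical): mid-market cohort runs ~60% of the sector mean")
    est.assumptions.append(rw_note)
    return est


if __name__ == "__main__":
    e = example_midmarket_saas()
    print(f"range: {e.low_musd}M - {e.high_musd}M (mid {e.mid_musd}M)")
    for line in e.assumptions:
        print(" -", line)
```

The ledger, not the point estimate, is what a board pack or an underwriter conversation should carry: each line names the benchmark, what it counts and who published it, and the size adjustment is tagged as an assumption so it can be challenged and revised when a better comparable turns up.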